Security & BAA

Patient safety before the first live call.

CayesDesk is built for full HIPAA compliance under a signed BAA, with clear clinical boundaries and controlled staff handoffs.

BAA signed before patient-facing PHI handling

Approved scripts and SOPs before launch

No medical, dental, or emergency advice

Staff keeps every clinical decision

Why the BAA matters

A phone call can become protected health information in seconds.

A Business Associate Agreement is the written contract your practice uses when a vendor may create, receive, maintain, or transmit PHI on your behalf. For CayesDesk, that can include live call audio, transcripts, caller ID, appointment requests, consult interest, summaries, and routing details.

HIPAA is not just paperwork here. It determines what CayesDesk may collect, where it may send information, who may access it, how it is safeguarded, and when the caller must be routed back to licensed staff.

We value HIPAA because our team comes from healthcare operations, where patient privacy, careful documentation, and disciplined information handling are daily requirements.

Compliance layers

Compliance is a workflow, not a badge.

CayesDesk combines signed agreements, controlled scripts, staff routing, data safeguards, and safety boundaries before a practice goes live.

Signed BAA

A BAA defines how CayesDesk may create, receive, maintain, transmit, safeguard, and return or delete PHI for your practice.

Minimum necessary

The concierge captures only what staff needs for follow-up: caller identity, contact, consult interest, language, timing, and routing context.

Patient safety boundaries

Clinical, diagnostic, treatment, medication, aftercare, and emergency questions are routed to your team or 911 using approved language.

Controlled access

Call summaries and workflow destinations are configured around approved staff recipients, access expectations, and escalation contacts.

Minimum necessary data flow

Collect what staff needs. Route the rest.

CayesDesk is configured to capture the least practical information needed for follow-up: name, phone, service interest, location, preferred timing, language, and callback context.

Patient call → Approved concierge script → Staff-ready handoff

It should not solicit diagnosis, Social Security numbers, card data, treatment decisions, or sensitive clinical detail unless your practice has explicitly approved that workflow.

Signing and launch

Friction should never be the reason patients are less protected.

We make the compliance path simple: DocuSign-style secure e-signature, or portal-based signing if your team prefers. No live patient-facing coverage begins until the right documents and workflows are approved.

01 Business review

Demo forms, pricing conversations, and pilot requests stay business-side. Please do not enter patient information in public forms.

02 Secure BAA signature

We send the Business Associate Agreement by DocuSign-style secure e-signature, or provide portal-based signing if that is the cleaner path for your practice.

03 SOP approval

Scripts, emergency language, escalation rules, staff recipients, and integration destinations are approved before live calls begin.

04 Live PHI handling

Patient-facing coverage starts only after BAA and SOP signoff.

CRM, PMS, EHR, and messaging systems

Your stack stays your stack. CayesDesk routes into it cleanly.

CayesDesk can send structured summaries into approved destinations such as practice-management systems, aesthetic CRMs, scheduling tools, secure staff notifications, webhooks, or API handoffs where supported. The compliance work is deciding what fields are allowed, which staff receive them, where they land, how long they are retained, and what happens if a destination is unavailable.

Dentrix, Open Dental, Eaglesoft, Weave, NexHealth, RevenueWell

Zenoti, Boulevard, Aesthetic Record, PatientNow, Podium, Birdeye

Scheduling links, secure staff notifications, webhooks, and API handoffs where supported

SOP and legal safeguards

The guardrails are written before the phone rings.

Approved script library and change control

Emergency phrase handling and 911 language

Clinical question refusal language

Escalation matrix by location, service, urgency, and staff role

Subprocessor, legal, and BAA review before launch

Retention, deletion, and incident-contact expectations

No patient-call data used to train public AI models

No patient-facing launch before BAA and SOP approval

Legal packet

Give your compliance team the review path they expect.
